Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views.


Sunday, June 30, 2013

Children use social networking sites like Facebook extensively to communicate and chat with their friends and with strangers. Children are exposed to “stranger danger”, cyber bullying or trolling when they post information of value and their privacy settings are not appropriately set, allowing criminals, bullies, perverts and pedophiles to view their posts.

Many of these sites have member-enabled privacy settings that restrict the viewing audience to preset categories such as friends, friends of friends and public. These broad privacy mechanisms are not sufficient to prevent determined strangers from viewing posts by surreptitiously becoming part of these categories.

If your child does not accept strangers as friends because you have taught him well, but his friend does, then his post with a friends-of-friends restriction will be visible to the stranger. The stranger can then comment on the post, and the comment will in turn be seen by your child. Eventually, this familiarity and the fact that the stranger is a friend of a friend may lead to the stranger’s acceptance as a friend.
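The friend-of-a-friend exposure described above, worked through on a small constructed social graph. This is an added illustration, not code from the original post; the names and the graph are hypothetical, and the audience rules are a simplified model of the preset categories (friends, friends of friends, public) rather than any site's actual implementation.

```python
"""Who can see a post under each preset privacy category (simplified model)."""
from typing import Dict, Set

# Constructed, undirected friendship graph. The child never accepted the
# stranger, but friend_a did, so the stranger is a "friend of a friend".
FRIENDS: Dict[str, Set[str]] = {
    "child":    {"friend_a", "friend_b", "parent"},
    "friend_a": {"child", "friend_b", "stranger"},
    "friend_b": {"child", "friend_a"},
    "parent":   {"child"},
    "stranger": {"friend_a"},
}


def audience(graph: Dict[str, Set[str]], poster: str, setting: str) -> Set[str]:
    """Return the set of accounts that can view a post by `poster`."""
    friends = set(graph.get(poster, set()))
    if setting == "only_me":
        return {poster}
    if setting == "friends":
        return friends | {poster}
    if setting == "friends_of_friends":
        # Everyone directly connected to any of the poster's friends.
        fof: Set[str] = set()
        for f in friends:
            fof |= graph.get(f, set())
        return friends | fof | {poster}
    if setting == "public":
        return set(graph) | {poster}
    raise ValueError(f"unknown privacy setting: {setting!r}")


def strangers_reached(graph: Dict[str, Set[str]], poster: str, setting: str) -> Set[str]:
    """Accounts outside the poster's own friend list who can still see the post."""
    return audience(graph, poster, setting) - graph.get(poster, set()) - {poster}


if __name__ == "__main__":
    for setting in ("friends", "friends_of_friends", "public"):
        print(f"{setting:20s} strangers reached: {sorted(strangers_reached(FRIENDS, 'child', setting))}")
```

The point the numbers make: the child's own discipline (not accepting the stranger) protects the post only under the "friends" setting; one lax friend is enough to leak it under "friends of friends".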

Types of personal information that put a child or family at risk are:

Disclosure of identity, home address and movements

Disclosure of information on family issues or wealth

Financial information

Sharing of passwords due to teen culture

Sexually explicit messages and videos sent to partners, which can be put online when the relationship sours

Embarrassing photos or videos and hurtful or insulting content

Personal information may be posted voluntarily or disclosed in chat room conversations. In chat rooms children may disclose information that they would not normally post when asked a question by a trusted stranger, or simply because they believe that they are anonymous. Personal information can be disclosed in a variety of ways. Listed below are a few of them:

Saturday, June 29, 2013

One would think it impossible. If we look at recruitment scams as an example, an analysis would show that in reality such cons are fairly common and claim highly educated engineers and graduates as victims (India’s eager IT graduates fall for fake interview scams). Most of these schemes thrive on fake mails and advertisements, and even offer fake appointment letters (Fake job letters scam in Air India). The con artist makes money by convincing each interview applicant to deposit a small sum of money into a personal bank account prior to the job interview.

Most people fall for such schemes because these con artists sweet-talk prospective job seekers by preying on their emotional need for a blue chip job. So perfect is their sales pitch that their victims fail to apply basic reason and do reference checks to verify the claims made. In the IT recruitment scam, the recruitment pages of these companies carry clear warnings about such scams. In one such scam 1,500 victims were provided with fake employment letters and travelled from many North Indian cities to Pune, a city in West India. They only found out that their appointments were not real when they reported for work.

Every request for money is backed by a believable story. In the IT job interview scam the money was to be used for travel expenses, and the rationale given for using a third-party account rather than a company account was that the money could be refunded quickly after the interview.

Similar confidence tricks are used in various types of financial fraud. The job recruitment scheme nets around Rs 7,500 or USD 200 from each victim, but financial frauds can wipe out entire savings and have led victims to commit suicide.

Many of these fraudulent financial schemes actually operate from a registered company with many employees. They use celebrities to endorse their schemes and build credibility. Most of these employees may not be aware that their company is involved in large-scale fraud until it fails to repay investors. A good example is the case of an Indian couple who fooled 200,000 investors for a net collection of $60m.

a) Never make a buying decision immediately after you have heard the sales pitch for a get-rich-quick scheme. Give it 24 hours for the emotional effect to wear off and for your logical mind to check and verify the scheme.

b) Don’t share personal information, such as your worries, as this will be used to sell the scam to you. Con artists normally ask more questions than their victims do. Greed is the surest means of convincing people to take part in schemes.

c) Always ask “What’s in it for them?” If this is such a great scheme, then why are they calling me about it?

Thursday, June 27, 2013

I recently moderated a panel on the topic “Should the Role of the CISO be more independent” at the TOP 100 CISO award function in Mumbai, India.

The increasing awareness of the vulnerability of organizations to cyber-security risks, such as corporate espionage and the compromise of intellectual property resulting in service failures and reputational damage, has made visible the gaps in appropriate cyber-protection strategies.

Unfortunately, this heightened awareness has not yet resulted in raising the visibility of the CISO function or enabling a higher degree of autonomy for the role. The limited exposure of the CISO’s role to the organization’s CEO significantly limits the ability of the CISO to articulate such risks to the business in context, consequently reducing the CEO’s visibility into cyber-security risks that could eventually impact profits and growth.

Over 60% of today’s CISOs still report to the CIO and are considered part of the IT function. In a recent show of hands by the Top 100 Indian CISOs during a panel event I moderated, over 90% voted for a more independent yet empowered structure. Most CISOs felt that the heightened accountability of the function should correspond with increased powers over budget allocation, technology adoption, recruitment decisions and operations.

In a poll which I ran amongst a few members of the ISF (Information Security Forum), the respondents emphatically voted for an independent and empowered CISO function, which they felt would make the role more effective and strategic.

Involving the CISO in the strategic decision-making process will ensure that security is accorded due priority. In the near future it is very likely that CISOs will play a strategic role, due to the rising cost and impact of cybercrime and the adoption of business and technical changes driven by consumerisation and the cloud.

A child suffers abuse when cyber risks translate into cyber harm. The “Top 9 mild and severe cyber risks that kids face online” illustrates the key risks parents should be aware of. Most children adapt and shrug off exposure to mild cyber risks, but encounters with severe risks scar children for a long time. Mild risks are commonplace and usually dealt with by the child without parental involvement, as is to be expected in an emerging Gen Y society which is establishing the social rules for the use of cyberspace.

Instances of severe cyber risks are much fewer. Most go unreported and untracked by crime statistics, which reduces their importance to society as against other forms of more violent and physical crime. Cyber risk turns into cyber harm when a vulnerable child is exposed to a severe form of cyber risk such as pedophiles or excessive content. If a child is a victim, the psychological damage can rob the child of his/her childhood.

Parents with intimate knowledge of their child’s psychology and behavior can easily identify whether their children are susceptible to cyber harm. Typical evidence of vulnerability is an excessive interest in adult or violent content, fixations on adult issues such as wanting to look slim due to peer pressure, or simply the need to confide in strangers because of problems at home.

Parental guidance and regular frank discussions on the use of the Internet are the best way to give your child the ability to steer past these risks and enjoy a safer online experience.

Saturday, June 22, 2013

Children constantly face cyber risks every time they go online. In all there are four major categories of such risks, namely content, conduct, contact and cybercrime, with content being the largest of all. My earlier blog “Keep children safe by being aware of the 4C’s of risks children face online” provides an overview of these risks. The degree of cyber risk to which individual children are exposed varies from mild to severe. Children normally cope with mild risks but need help when exposed to severe risks. Examples of mild and severe risks are depicted in the picture below.

Tuesday, June 18, 2013

A recent survey of 17,478 students between the ages of 12 and 18, in twelve Indian cities, by Tata Consultancy Services (TCS) threw up an interesting set of statistics on how Indian Gen Y kids use technology. I analyzed the cyber risk associated with these trends.

1 out of 4 students spent over an hour online each day, primarily for school work and to chat/connect/blog.

Risk: Children constantly face cyber risks every time they go online. The degree of cyber risk to which individual children are exposed varies from mild to severe. In all there are four major categories of such risks, namely content, conduct, contact and cybercrime, with content being the largest of all.

Other popular uses were to download music, access email and view movies.

Risk: Unknowing introduction of malware onto home computers when children surf, exchange files and download attachments. These attachments contain unseen malicious software which hackers can then use for cybercrimes.

4 out of 10 students shop online for books, music and tickets (movie, airline and railways).

Risk: These children have access to credit cards which can be misused for online shopping, games or to buy access to premium adult content.

6 out of 10 students owned a smartphone and 1 out of 4 used them to browse the net.

Risk: Children can use the Internet without parental supervision to access inappropriate content such as adult content and chats. They can also fall victim to online predators who entice children. The Internet provides anonymity, which allows such individuals, on social networking sites, in chat rooms or elsewhere, to assume multiple personalities and pretend to be of a different gender and age. The absence of physical interaction brings a false sense of security.

8 out of 10 students used Facebook for socializing and chatting.

Risk: Loss of privacy, as information children post about themselves and their family, such as wealth, travel plans and relationships, can be used by thieves, predators and others with bad intentions. Children need to be educated on what information could and should not be posted online. Another key risk is cyber bullying, in which a bully posts offensive, derogatory and hurtful comments which affect the victim’s self-image, esteem and relationships with other children. Information posted in blogs, posts, photos or comments, however thoughtless or baseless, does take an emotional toll on its victims.

Monday, June 17, 2013

Children constantly face cyber risks every time they go online. The degree of cyber risk to which individual children are exposed varies from mild to severe. In all there are four major categories of such risks, namely content, conduct, contact and cybercrime, with content being the largest of all.

Vulnerable or highly adventurous children normally face exposure to severe forms of cyber risk such as pedophiles. These children are sought out as targets due to their gullibility, ease of emotional exploitation or simply their interest in adult subjects. Most children who are affected by mild cyber risks have learned to cope without much support. Vulnerable children who fall victim display signs of anxiety and withdrawal from the Internet, and may even not want to go to school for several weeks. These children require support from peers, family and teachers to bail them out of the situation they are in.

Parents should be able to determine when their children are exposed to cyber risks and to what extent they are vulnerable. Frequent conversations with their child on net use are the most popular method, practiced by over 75% of parents. When children report a problem, parents must be supportive.

Monday, June 10, 2013

Sending embarrassing tweets, posting merchandising spam or deliberate lock-outs are the normal consequences of hacked Twitter accounts. An account is compromised when an unauthorized user has been able to obtain (and perhaps change) the original username and password, or has gained access to an open Twitter session (such as via access to a phone or tablet with stored credentials). Indications of a hacked account are:

Noticing unexpected tweets or unintended direct messages

Hijacking of the Twitter account, deactivation or change of username

Access granted to new applications

Unexpected behavior like following, unfollowing, and blocking

A hacker may be a disgruntled friend, a prankster, someone who found your lost phone or a professional hacker motivated by financial or ideological gain. As one would imagine, hacking a Twitter account may be as simple as seizing an opportunity to access an unattended mobile device with an active Twitter session, using phishing (a social engineering technique) to convince a user to part with his/her credentials, or even guessing weak passwords. Most of us fail to follow security best practices, are unaware of security, or simply fall victim to a convincing con scheme and give away our credentials.

A small subset of hacking attacks is technically sophisticated, even beating the defenses put up by security-conscious users. Typically, such attacks are targeted against prominent individuals, media firms, companies and celebrities. The objective of these attacks is to propagate an ideology, embarrass a firm or make money by sending spam to a large follower base from a celebrity Twitter account.

There are several ways Twitter accounts can be hacked into. Some attacks directly compromise Twitter accounts and others do so indirectly, via associated email and third-party accounts. In the table below, we examine how we can defend against seven types of attacks.

The key objective of our exercise is (a) to defeat the attempts of unskilled hackers, (b) to make it difficult for professional hackers to compromise our account, and (c) to reduce the impact of a compromise if it does happen. We must also assume that, being fallible humans, we cannot be relied upon to follow security best practices.

Each entry below gives the attack, a description, the defense and its limitation.

1. Guess your password

Description: Your weak password was easily guessed by a hacker, e.g. twitter123.

Defense: Use Twitter two-factor authentication (2FA), i.e. additional authentication using SMS. This forces a hacker to obtain additional access to your phone or to intercept the Twitter 2FA SMS to take control of your account, which poses quite a challenge. Use strong passwords.

Limitation: The Twitter 2FA service is not offered by all mobile companies.

2. Password resets

Description: Your password was changed by a hacker who previously compromised the email id registered for Twitter password resets. The hacker simply reset your Twitter password, received the reset link in the compromised email account and then changed the Twitter password.

Defense: For both your Twitter and email accounts, use 2FA (additional authentication using SMS) and use strong passwords.

Limitation: The Twitter 2FA service is not offered through all mobile companies. Not all email services offer 2FA.

3. Obtain access to your cell phone or tablet

Description: The hacker obtains access to your cell phone. Normally, users remain logged on to Twitter as well as to their personal email account on mobile devices. Accounts can then be easily used or passwords reset.

Defense: Password protect your cell phone, and set the phone to lock out after ten failed tries. For a higher level of security, one can erase the phone data after ten failed unlock attempts; this works when you take a regular backup of the cell phone data. Use complex passwords, as simple passwords can be easily cracked with software. This is an inconvenience which is worth the effort; even a complex six-digit numeric code, with ten lock-out attempts, will do. Reset your Twitter, email and other passwords if your phone has been lost or stolen.

Limitation: Slight inconvenience when using the phone or tablet.

4. Phishing

Description: You part with your Twitter credentials in response to a con mail claiming to come from either Twitter or your email provider’s customer support team.

Defense: Be aware that you should never part with your credentials. No firm asks for these credentials.

5. Trojan (malware) based attack

Description: You download a Trojan onto your desktop or phone which steals credentials and forwards them to the hackers.

Defense: Use antivirus software. Use 2FA.

Limitation: It is difficult for users to recognize malicious apps and websites. The 2FA service is not offered through all mobile companies.

6. Exploitation of vulnerable Twitter APIs

Description: Your password is stolen through the exploitation of a technical vulnerability in the Twitter service.

Defense: Twitter, on detecting such breaches, locks these accounts and sends a password reset notification.

7. Exploit third-party applications

Description: Access to your Twitter account is obtained via third-party applications that have been given rights to write to your Twitter feed.

Defense: Review your list of third-party applications in the Twitter account settings page (applications tab) and revoke applications you do not need. Use strong passwords for these applications. Change the Twitter password on detection of unintended posts through these applications. Do not grant access to websites which promise more followers or applications which post advertisements; some of these may be malicious or prone to being hacked themselves.
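The indicators of a hacked account listed at the start of this post, and the third-party application review in entry 7, as a small detection routine run over a constructed account-activity log. This is an added example, not the post's own material: the event format, the owner's baseline (authorized apps, username, own tweets) and the app name "FollowBoost" are all hypothetical, and no Twitter API is called.

```python
"""Flag indicators of a compromised account from an activity log (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str    # tweet, dm, app_authorized, username_changed, follow, unfollow, block
    detail: str  # tweet text, app name, new username, or the account acted upon
    via: str     # client or third-party app that generated the event


# What the account owner knows to be legitimate (hypothetical baseline).
OWNER: Dict[str, object] = {
    "username": "alice_example",
    "authorized_apps": {"Twitter for iPhone", "Twitter Web"},
    "own_tweets": {"Lunch with the team today"},
}

# Constructed activity log: one genuine tweet, then activity from an app
# the owner never knowingly authorized, and a username change.
EVENTS: List[Event] = [
    Event("tweet", "Lunch with the team today", "Twitter for iPhone"),
    Event("tweet", "Get 5000 followers free!!", "FollowBoost"),
    Event("app_authorized", "FollowBoost", "Twitter Web"),
    Event("follow", "promo_account_42", "FollowBoost"),
    Event("username_changed", "alice_examp1e", "Twitter Web"),
]


def indicators(events: List[Event], owner: Dict[str, object]) -> List[str]:
    """Return one alert per event that matches a listed sign of compromise."""
    apps = owner["authorized_apps"]
    alerts: List[str] = []
    for e in events:
        if e.kind in ("tweet", "dm") and e.detail not in owner["own_tweets"]:
            alerts.append(f"unexpected {e.kind} via {e.via}: {e.detail!r}")
        elif e.kind == "app_authorized" and e.detail not in apps:
            alerts.append(f"new application granted access: {e.detail}")
        elif e.kind == "username_changed" and e.detail != owner["username"]:
            alerts.append(f"username changed to {e.detail}")
        elif e.kind in ("follow", "unfollow", "block") and e.via not in apps:
            alerts.append(f"unexpected {e.kind} of {e.detail} via {e.via}")
    return alerts


def apps_to_revoke(events: List[Event], owner: Dict[str, object]) -> List[str]:
    """Applications seen in the log that are not on the owner's authorized list."""
    apps = owner["authorized_apps"]
    seen = {e.via for e in events} | {e.detail for e in events if e.kind == "app_authorized"}
    return sorted(a for a in seen if a not in apps)


if __name__ == "__main__":
    for line in indicators(EVENTS, OWNER):
        print("ALERT:", line)
    print("revoke:", apps_to_revoke(EVENTS, OWNER))
```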


About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or LinkedIn at http://in.linkedin.com/in/luciuslobo